linux:firewall [2008/04/29 11:08]
greebo
linux:firewall [2019/04/15 10:18]
zagi
Line 1: Line 1:
-  #!/bin/bash +[[linux:firewall6|Linux IPV6 firewall]]\\ 
-  echo "*************" +[[linux:firewall_blocktor| how to block TOR network in realtime]]\\  
-  echo "* Running $0" +[[http://www.fs-security.com/|FS security]]\\ 
-  echo "*************"+ 
 +<code bash |> 
 + 
 +#!/bin/bash 
 +echo "*************" 
 +echo "* Running $0" 
 +echo "*************
 +echo "* http://tnt.aufbix.org/ linux firewall script" 
 + 
 +echo 
 +echo  "It was sad music. But it waved its sadness like a battle flag." 
 +echo  " It said the universe had done all it could, but you were still alive." 
 +echo 
 +echo " Discworld" 
 + 
 +TNX_IDIOT="yes" 
 + 
 +echo " how iptables work in linux kernel" 
 +echo 
 +echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->" 
 +echo " | |" 
 +echo " [input] >--->[output]" 
 + 
 +# path to iptables and iproute2 files 
 +IPTB="/sbin/iptables" 
 +IP="/sbin/ip" 
 + 
 +# name of our Internet and intranet interfaces 
 +# use INTRANET="eth1+" or INTERNET="eth0+" 
 +# if you have more ifaces (example: eth0:0)  towards Intranet/Internet 
 +
 +# WAN Interface 
 +INTERNET="eth0" 
 +# ADSL - INTERNET="ppp0" 
 +
 +# LAN Interface 
 +INTRANET="eth1"
      
-  echo +# what IPs are used in intranet 
-  echo  "It was sad musicBut it waved its sadness like a battle flag.+LAN="192.168.6.0/24"
-  echo  " It said the universe had done all it could, but you were still alive.+
-  echo +
-  echo " Discworld"+
      
-  TNX_IDIOT="yes"+# what is our static  IP (if we have one) 
 +GW_IP="X.X.X.X"
      
-  echo " how iptables work in linux kernel 2.4.x/2.6.x+# what TCP ports/services we allow (and FORWARD) from Internet 
-  echo +# use " as delimiter 
-  echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->+TCP_PORTS="25 53 80" 
-  echo " | |+ 
-  echo " [input] >--->[output]"+# what UDP ports/services we allow (and FORWARD) from Internet 
 +# use ",as delimiter 
 +UDP_PORTS="53,123" 
 + 
 +# which ports we forward into our intranet 
 +# use ",as delimiter 
 +FWD_TCP_PORTS="1214,6346"
      
-  path to iptables and iproute2 files +set to 1 if we you have intranet 
-   +WE_HAVE_INTRANET="0
-  IPTB="/sbin/iptables+ 
-  IP="/sbin/ip" +#  
-   +TRUSTED_HOSTS="193.77.1.1/32 \ 
-  name of our Internet and intranet interfaces +212.93.224.0/19 \ 
-  INTRANET="eth1" +212.18.32.0/24" 
-  INTERNET="eth0" + 
-  # ADSL - INTERNET="ppp0" +enable IP forwarding (routing!
-   +echo "0> /proc/sys/net/ipv4/ip_forward 
-  # what IPs are used in intranet + 
-  LAN="192.168.6.0/24" +enable PMTU (mss/mtu discovery
-   +echo "1" > /proc/sys/net/ipv4/tcp_mtu_probing 
-  what is our static  IP (if we have one+ 
-  GW_IP="X.X.X.X+# first we flush the tables and policy 
-   +$IPTB -F 
-  what TCP ports/services we allow (and FORWARD) from Internet +$IPTB -X 
-  # use " " as delimiter +$IPTB -F INPUT 
-  TCP_PORTS="22 25 53 80" +$IPTB -F FORWARD 
-   +$IPTB -F OUTPUT 
-  # what UDP ports/services we allow (and FORWARDfrom Internet + 
-  # use "," as delimiter +$IPTB -t nat -F 
-  UDP_PORTS="53" + 
-   +# new chain for SSH and HTTP access 
-  # which ports we forward into our intranet +$IPTB -N ssh-access 
-  # use "," as delimiter +$IPTB -N http-access 
-  FWD_TCP_PORTS="1214,6346" + 
-   +# port redirection (transparent proxy) 
-  # set to if we you have intranet +# redirect all outgoing traffic that is NOT for the GW to local (GW) ports 
-  WE_HAVE_INTRANET="0" +# DNS (53/tcp and 53/udp) and SMTP (25/tcp) 
-   +#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
-  echo "0" > /proc/sys/net/ipv4/ip_forward +#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
-   +#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 
-  # first we flush the tables and policy + 
-  $IPTB -F +# INPUT TABLE 
-  $IPTB -F INPUT +$IPTB -P INPUT DROP 
-  $IPTB -F FORWARD + 
-  $IPTB -F OUTPUT +# statefull firewall makes most hits 
-  $IPTB -t nat -F +$IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-   + 
-  # port redirection (transparent proxy) +# move all SSH and HTTP traffic to apropriate chains 
-  #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT +$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access 
-  #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT +$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access 
-  #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 + 
-   +# ssh chain 
-  # INPUT TABLE +for sshhostese in $TRUSTED_HOSTS; 
-  $IPTB -P INPUT DROP +        do 
-   +        $IPTB -A ssh-access -s $sshhostese -j ACCEPT 
-  # statefull firewall +        done 
-  $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + # Connection limit for SSH connections (1 connection per minute PER source IP) 
-   + # - usefull against ssh scanners if you MUST open SSH for every IP! 
-  # IPSEC +$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT 
-  #$IPTB -A INPUT -i $INTERNET -p udp --sport 500 --dport 500  -j ACCEPT +$IPTB -A ssh-access -j DROP 
-  #$IPTB -A INPUT -i $INTERNET -p 50 -j ACCEPT +# ssh 
-  #$IPTB -A INPUT -i $INTERNET -p 51 -j ACCEPT + 
-   +# http 
-  # we allow all traffic from $INTRANET and localhost interfaces +for httphostese in $TRUSTED_HOSTS; 
-  $IPTB -A INPUT -i $INTRANET -j ACCEPT +        do 
-  $IPTB -A INPUT -i lo -j ACCEPT +        $IPTB -A http-access -s $httphostese -j ACCEPT 
-   +        done 
-  #$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "INVALID packet> " +# http 
-  #$IPTB -A INPUT -m state --state INVALID -j DROP + 
-   +# IPSEC 
-  +#$IPTB -A INPUT -i $INTERNET -p udp --sport 500 --dport 500  -j ACCEPT 
-  $IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type broadcast -j DROP +#$IPTB -A INPUT -i $INTERNET -p 50 -j ACCEPT 
-  $IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type multicast -j DROP +#$IPTB -A INPUT -i $INTERNET -p 51 -j ACCEPT 
-    + 
-  #FIN is set and ACK is not +# we allow all traffic from $INTRANET and localhost interfaces 
-  $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP +$IPTB -A INPUT -i $INTRANET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 
-  $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> " +$IPTB -A INPUT -i lo  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 
-   + 
-  #PSH is set and ACK is not +$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "packet not in conntrack> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP +$IPTB -A INPUT -m state --state INVALID -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> " + 
-   +
-  #URG is set and ACK is not +$IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type broadcast -j DROP 
-  $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP +$IPTB -A INPUT -i $INTERNET -m pkttype --pkt-type multicast -j DROP 
-  $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> " +  
-   +#FIN is set and ACK is not 
-  # Block portscans: +$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL ALL  -j LOG --log-prefix "XMAS scan> " +$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL ALL  -j DROP + 
-   +#PSH is set and ACK is not 
-  #no flag is set +$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan> " +$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j DROP + 
-   +#URG is set and ACK is not 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan>+$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP +$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP 
-   + 
-  #SYN and FIN are both set +# Block portscans: 
-  $IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2> " +$IPTB -A INPUT -p tcp --tcp-flags ALL ALL  -j LOG --log-prefix "XMAS scan> " 
-  $IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL ALL  -j DROP 
-   + 
-  #FIN and RST are both set +#no flag is set 
-  $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan> " 
-  $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>" +$IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j DROP 
-   + 
-   +$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan>
-  $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT>+$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP 
-  $IPTB -A INPUT -f -j DROP + 
-   +#SYN and FIN are both set 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN>" +$IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2> " 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP +$IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 
-   + 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN>" +#FIN and RST are both set 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP +$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>" 
-   +$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN>" + 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j DROP +$IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT>
-   +$IPTB -A INPUT -f -j DROP 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID>" + 
-  $IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN>" 
-   +$IPTB -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP 
-  #SYN and RST are both set + 
-  $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST>+$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN>" 
-  $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP +$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP 
-   + 
-  # Connection limit for SSH connections ( 1 connection per minute) +$IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN>" 
-  $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT +$IPTB -A INPUT -p tcp --tcp-flags ALL FIN -j DROP 
-  $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP + 
-   +$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID>" 
-  # what we allow from Internet +$IPTB -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP 
-  for i in $TCP_PORTS+ 
 +#SYN and RST are both set 
 +$IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST>
 +$IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
 + 
 +# what we allow from Internet - TCP ports 
 +for i in $TCP_PORTS
  do  do
- $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT + $IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT 
-    done +        done 
-   + 
-  $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT +# what we allow from Internet - UDP ports 
-   +$IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT 
-  # identd requests + 
-  $IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset +# identd requests 
-   +$IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 
-  # traceroute + 
-  $IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT +# traceroute (udp - IOS, Uni*es) 
-   +$IPTB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT 
-  # Log and drop ICMP fragments (shouldn'happen at all, but often used for DoS) + 
-  $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> " +# Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) 
-  $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP +$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> " 
-   +$IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag -j ACCEPT 
-  # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough + 
-  $IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT +# thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough 
-  $IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT +# echo-reply 
-  $IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT +#$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT 
-  $IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT +# unreachables 
-  $IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT 
-  #icmp-traceroute +# source-quench (depreciated) 
-  $IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT +#$IPTB -A INPUT -p icmp --icmp-type -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT 
-   +timeout (forward loop prevention) 
-  echo-request +$IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT 
-  $IPTB -A INPUT -p icmp --icmp-type 8  -m limit --limit 3/second -j ACCEPT +parameter problem 
-   +$IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT 
-  # if the default policy is not DROP then we must use this +#icmp-traceroute 
-  #$IPTB -A INPUT -p icmp -j DROP +$IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp30 -j ACCEPT 
-   +# echo-request 
-  # FORWARD TABLE +$IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp8 -j ACCEPT 
-  $IPTB -P FORWARD DROP + 
-   +if the default policy is not DROP then we must use this 
-  # port forwarding +#$IPTB -A INPUT -p icmp -j DROP
-  #$IPTB -A FORWARD -p tcp -i $INTERNET -m multiport --dport $FWD_TCP_PORTS -j ACCEPT +
-   +
-  START / port forwarding +
-  # list forwarder ports in separate command lines +
-  #$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 1214  -j DNAT --to 192.168.1.10 +
-  #$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 6346  -j DNAT --to 192.168.1.10 +
-  END / port forwarding  +
-   +
-  # statefull firewall +
-  #$IPTB -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID:+
-  $IPTB -A FORWARD -m state --state INVALID -j DROP +
-  $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT +
-  $IPTB -A FORWARD -m state --state NEW -i ! $INTERNET -j ACCEPT +
-   +
-  $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP +
-  $IPTB -A FORWARD -m pkttype --pkt-type multicast -j DROP +
-   +
-  NAT (IP masquerading) +
-  #$IPTB -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE+
      
-  NAT but to certain IP (if we have multiple Internet IPs) +FORWARD TABLE 
-  $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP+$IPTB -P FORWARD DROP
      
-  adsl +port forwarding 
-  #$IPTB -FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +#$IPTB -FORWARD -tcp -i $INTERNET -m multiport --dport $FWD_TCP_PORTS -j ACCEPT 
-  $IPTB -FORWARD -$INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu+ 
 +# START / port forwarding 
 +# list forwarder ports in separate command lines 
 +#$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 1214  -j DNAT --to 192.168.1.10 
 +#$IPTB -t nat -A PREROUTING -p tcp -i $INTERNET --dport 6346  -j DNAT --to 192.168.1.10 
 +# END / port forwarding  
 + 
 +# statefull firewall 
 +#$IPTB -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID: " 
 +$IPTB -FORWARD -m state --state INVALID -j DROP 
 +$IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
 +$IPTB -A FORWARD -m state --state NEW ! -i $INTERNET -j ACCEPT 
 + 
 +$IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP 
 +$IPTB -A FORWARD -m pkttype --pkt-type multicast -j DROP
      
-  # we allow only access to network cards (NIC) that have their MAC addresses listed +# NAT (IP masquerading) 
-  # in "valid-macs" file +#$IPTB -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE 
-  #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done+ 
 +# NAT but to certain IP (if we have multiple Internet IPs) 
 +$IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP 
 + 
 +# ADSL (PPPoE connections) 
 +#$IPTB -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
 +$IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu 
 + 
 +# we allow only access to network cards (NIC) that have their MAC addresses listed 
 +# in "valid-macs" file 
 +#for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done 
 + 
 +# OUTPUT 
 +$IPTB -P OUTPUT DROP 
 + 
 +# only allow NEW and related connections out 
 +$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      
-  # list the rules +# list the rules 
-  $IPTB -L -v -n+$IPTB -L -v -n --line 
 +$IPTB -t nat -L -v -n --line
      
-  echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward+echo $WE_HAVE_INTRANET > /proc/sys/net/ipv4/ip_forward 
 + 
 +</code>
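Review bot: The `--fragment -p icmp` pair on the new side (the LOG followed by the new `-m hashlimit ... -j ACCEPT`) can never match, because the generic `$IPTB -A INPUT -f -j DROP` a few rules earlier already drops every non-first fragment reaching INPUT and `--fragment` is the same match as `-f`, so the rate-limited accept is dead and the comment above it still says "Log and drop" while the rule now accepts. Either remove the pair, or — if rate-limited acceptance of ICMP fragments is really intended — move it above the generic `-f` rules and reword the comment to `# Log ICMP fragments and accept at most 10/s per source IP; everything else is dropped by the -f rule`. Separately, the new `http-access` chain has no terminal rule: a non-trusted source falls back into INPUT, where the `for i in $TCP_PORTS` loop (`TCP_PORTS="25 53 80"` still lists 80) accepts it anyway, so the chain restricts nothing; if port 80 is meant to be trusted-only, drop 80 from `TCP_PORTS` and end the chain with `$IPTB -A http-access -j DROP`, mirroring `ssh-access`. Several rendered lines appear to have lost changed tokens (`--icmp-type -m hashlimit` without a type number, `$IPTB -FORWARD -m state`), so those are probably wiki-diff artifacts rather than errors in the script, but they are worth re-checking in the stored page.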